0

I followed the steps mentioned in: https://learn.microsoft.com/en-us/azure/api-management/api-management-howto-ca-certificates#create-custom-ca-for-self-hosted-gateway

and added a self signed certificate as an pfx file to the azure apim. Then I used this Rest API: https://learn.microsoft.com/en-us/azure/api-management/api-management-howto-ca-certificates#:~:text=Gateway%20Certificate%20Authority%20-%20Create%20Or%20Update

to connect the certificate to the self hosted gateway and then added policy to my APIs, like in this page: https://learn.microsoft.com/en-us/azure/api-management/api-management-access-restriction-policies#validate-client-certificate

The certificate was created with this workflow:

pwd='Pa$$w0rd'
pfxFilePath='selfsigncert.pfx'
openssl req -x509 -sha256 -nodes -days 365 -newkey rsa:2048 -keyout privateKey.key -out selfsigncert.crt -subj /CN=localhost

openssl pkcs12 -export -out $pfxFilePath -inkey privateKey.key -in selfsigncert.crt -password pass:$pwd
openssl pkcs12 -in selfsigncert.pfx -out selfsigncert.pem -nodes

The key authentication was disabled for testing purpose.

The problem now is that if I try to reach my self hosted gateway with curl it doesn't work. Depending on which version of curl I'm using I get different error messages:

Preinstalled version of curl:

C:\path>curl -v https://localhost:80/echo/resource?param1=sample --cert-type pem --cert selfsigncert.pem --tls-max 1.2
*   Trying ::1...
* TCP_NODELAY set
* Connected to localhost (::1) port 80 (#0)
* schannel: SSL/TLS connection with localhost port 80 (step 1/3)
* schannel: checking server certificate revocation
* schannel: sending initial handshake data: sending 180 bytes...
* schannel: sent initial handshake data: sent 180 bytes
* schannel: SSL/TLS connection with localhost port 80 (step 2/3)
* schannel: encrypted data got 120
* schannel: encrypted data buffer: offset 120 length 4096
* schannel: next InitializeSecurityContext failed: SEC_E_INVALID_TOKEN (0x80090308) - The token supplied to the function is invalid
* Closing connection 0
* schannel: shutting down SSL/TLS connection with localhost port 80
* schannel: clear security context handle
curl: (35) schannel: next InitializeSecurityContext failed: SEC_E_INVALID_TOKEN (0x80090308) - The token supplied to the function is invalid

and the newest version of curl:

C:\curl\bin>curl -v https://localhost:80/echo/resource?param1=sample --cert-type pem --cert selfsigncert.pem --tls-max 1.2
*   Trying 127.0.0.1:80...
* Connected to localhost (127.0.0.1) port 80 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
*  CAfile: C:\curl\bin\curl-ca-bundle.crt
* TLSv1.0 (OUT), TLS header, Certificate Status (22):
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* (5454) (IN), , Unknown (72):
* error:0A00010B:SSL routines::wrong version number
* Closing connection 0
curl: (35) error:0A00010B:SSL routines::wrong version number

Thanks for the help.

Jason Aller
  • 3,541
  • 28
  • 38
  • 38
high5
  • 37
  • 1
  • 6
  • 1
    Hi, yes the solution is to give the right common name/dns name during the creation of the certificate. After that a gateway hostname must be createt inside the gatewaypanel of the self hosted gateway. – high5 Nov 22 '21 at 08:11
  • You can add this as an answer and accept it so that it can be helpful to other community members who may face the same problem. – Ecstasy Nov 22 '21 at 08:13

0 Answers0